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From BOM(5): 


The Mac OS X Installer uses a file system "bill of materials" to determine which files to install , 
remove, or upgrade. A bill of materials, bom, contains all the files within a direc- tory, along 
with some information about each file. File information includes: the file's UNIX permissions, its 
owner and group, its size, its time of last modification, and so on. Also included are a checksum 
of each file and information about hard links. 

So essentially it's a file system stored on disk in a .CAR file and it does a ton of interesting stuff 

• Compression/Decompressions ( zlib / bz2 and HPF Plus? ) 

• Compiles regex strings 

• Supports encrypted payloads 

Using a tracing library (libtrace.dylib) and setting the DYLDJNSERTJJBRARIES environment variable you can see 
what's loading those files in the system services 

launchctl setenv DYLD_FORCE_FLAT_NAMESPACE 1 

launchctl setenv DYLDJNSERTJJBRARIES /path/to/I i btrace . dy I i b 

Turns out that Setup and SpringBoard load BOM files on startup. Here's the output of the tracing library. 


1592 ==> open(/System/Library/Frameworks/UIKit.framework/UIKit_OriginalArtwork.car) -> 5 

1593 ==> 

1 

libtrace.dylib 

0x00000001 001 433a8 open + 272 

1594 ==> 

2 

Bom 

0x00000001901 1ecd8 BomSys_open + 28 

1595 ==> 

3 

Bom 

0x00000001 901 0f7f0 BOMStorageOpenWithSys + 76 

1596 ==> 

4 

CoreUI 

0x00000001 909add2c <redacted> + 112 

1597 ==> 

5 

CoreUI 

0x00000001 909b3a08 <redacted> + 128 

1598 ==> 

6 

CoreUI 

0x00000001 909aaf70 <redacted> + 208 

1599 ==> 

7 

libdispatch.dylib 

0x00000001 982443e0 <redacted> + 16 

1600 ==> 

8 

libdispatch.dylib 

0x0000000 198249f2c <redacted> + 48 

1601 ==> 

9 

CoreUI 

0x00000001 909a5e8c <redacted> + 100 

1602 ==> 

10 

CoreUI 

0x00000001 909a4a1 4 <redacted> + 212 

1603 ==> 

11 

CoreUI 

0x00000001 909a5a8c <redacted> + 76 

1604 ==> 

12 

CoreUI 

0x0000000 1909ca8f8 <redacted> + 176 

1605 ==> 

13 

UIKit 

0x00000001 8ec384c8 <redacted> + 500 

1606 ==> 

14 

UIKit 

0x00000001 8ef01c70 <redacted> + 136 

1607 ==> 

15 

libdispatch.dylib 

0x00000001 982443e0 <redacted> + 16 

1608 ==> 

16 

libdispatch.dylib 

0x0000000198245288 dispatch_onceJ + 60 

1609 ==> 

17 

UIKit 

0x00000001 8ec3825c JJISharedlmageSetLoadFactor + 

1610 ==> 

18 

UIKit 

0x00000001 8ec3661 c <redacted> + 2828 

1611 ==> 

19 

UIKit 

0x00000001 8ec35094 <redacted> + 876 

1612 ==> 

20 

UIKit 

0x00000001 8ec34c84 UlApplicationlnstantiateSingleton - 

1613 ==> 

21 

UIKit 

0x00000001 8ec33ef8 UlApplicationMain + 660 

1614 ==> 

22 

Setup 

0x00000001 000925C0 Setup + 9664 

1615 ==> 

23 

libdyld.dylib 

0x0000000 19825faa0 <redacted> + 4 


The goal is to gain execution by building a BOM file that'll make the parser crash. The file loading code seems pretty 
solid and a simple fuzzer didn't yield interesting bugs. Here's a few of the crashes that the fuzzer was able to get by 
building invalid BOM Files. 

78 /Bom/Bom-1 93. 6/Common/BOMSystemCmds.c:27] malloc: Cannot allocate memory 
1260 /Bom/Bom-1 93. 6/Storage/BOMStorage.c:326] test.bom is not a BOMStorage file 
6 /Bom/Bom-1 93. 6/Storage/BOMStream.c:280] buffer overflow! 

606 /Bom/Bom-1 93. 6/Storage/BOMStream.c:334] buffer overflow! 
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